Abstract. In this paper we generalize the classical Proth's theorem for integers
of the form $N = Kp^n + 1$. For these families, we present a primality test
whose computational complexity is $\widetilde{O}(\log^2(N))$ and, what is more important,
that requires only one modular exponentiation similar to that of Fermat's test.
Consequently, the presented test improves the most often used one, derived
from Pocklington's theorem, which usually requires the computation of several
modular exponentiations together with some GCD's.

AMS 2000 Mathematics Subject Classification: 11Y11,11Y16,11A51,11B99 

1. Introduction 

In 1877 P. Pepin (see [18]) presented the following result about the primality of 
Fermat numbers: 

Theorem 1 (Pepin, 1877). Let $F_n$ be the n-th Fermat number; i.e., $F_n = 2^{2^n} + 1$
with $n > 1$. Then, $F_n$ is prime if and only if $3^{(F_n - 1)/2} \equiv -1 \pmod{F_n}$.

Although this theorem has not certified the primality of any new Fermat prime
(by 1877 the 5 Fermat primes were already known), it is the first result which leads
to a deterministic primality test requiring only one modular exponentiation similar
to that of Fermat's test modulo $N$, thus of $O(\log^2 N)$ complexity.

One year after, using the same underlying ideas, Proth proved the following
primality criterion for numbers of the form $N = K2^n + 1$, where $K$ is odd and
$K < 2^n$ (Proth numbers):

Theorem 2 (Proth, 1878). Let $N = K2^n + 1$, where $K$ is odd and $K < 2^n$. If
$a^{(N-1)/2} \equiv -1 \pmod{N}$ for some $a \in \mathbb{Z}$, then $N$ is prime.

The next important step is the following 1914 result by Pocklington (see [17]),
which is the first generalization of Proth's theorem suitable for numbers of the form
$N = Kp^n + 1$:

Theorem 3 (Pocklington, 1914). Let $N = Kp^n + 1$ with $K < p^n$. If, for some
$a \in \mathbb{Z}$:

i) $a^{N-1} \equiv 1 \pmod{N}$

ii) $\gcd(a^{(N-1)/p} - 1, N) = 1$

Then, $N$ is prime.

Proth and Pocklington results are still useful. In fact they are the basis of the
popular software created by Yves Gallot (Proth.exe) for the search of Proth and
generalized Proth ($N = Kp^n + 1$) primes. Other software based on a variation of
Pocklington's Theorem presented by Brillhart, Lehmer and Selfridge (see [TD] or
[12]) is OpenPFGW, with which some records have been broken in different families
of integers. For instance, David Broadhurst has recently broken the record for the
family $N = 2 \cdot 3^n + 1$ (sequence A003306 in the OEIS) certifying primality for
$n = 1175232$, a number with 560729 digits and the 87-th biggest known prime
(see for instance http://primes.utm.edu/primes/lists/all.txt). A drawback of this
software is that it usually requires the use of several bases and, consequently, the
computation of several exponentiations modulo $N$.

JOSE MARIA GRAU AND ANTONIO M. OLLER-MARCEN

In recent times the most active researcher looking for primality criteria for
numbers of the form $N = Kp^n + 1$ has been P. Berrizbeitia. Berrizbeitia and his
collaborators have found very efficient criteria for this kind of numbers for a variety
of primes $p$ (see [6], [7]). Even though similar criteria had been previously
presented by H.C. Williams and his collaborators (see [23], [22]), the methodology used
by Berrizbeitia et al. proves clearer and more efficient. For these generalizations an
analogue of the Legendre symbol, the m-th power residue symbol, has been used.
It assumes values over the m-th roots of unity and it satisfies a higher order law of
reciprocity. However, the use of the m-th power residue symbol presents technical
difficulties, mainly due to the fact that the ring $\mathbb{Z}[e^{2\pi i/m}]$ is not a UFD
in general. Other authors, such as A. Guthmann (see [14]) and W. Bosma (see [9]), have also
given generalizations of Proth's theorem using similar techniques but limited to the
case $p = 3$.

Our main contribution is a primality criterion for integers of the form
$N = Kp^n + 1$ with $p$ being any prime and $K < p^n$, using techniques similar to those
in [13] for generalized Cullen Numbers ($N = np^n + 1$). These techniques do not
require the use of any m-th power residue symbol or higher order law of reciprocity.
In this way we have achieved an even clearer and more efficient methodology than
that of Berrizbeitia. In fact, our primality criterion requires only one modular
exponentiation $a^{N-1}$ without a previous search of a suitable $a$.

2. A Generalization of Proth's theorem 

The primality test which follows from Proth's theorem is very useful since, if
$N = K2^n + 1$ is a prime (Proth prime), then half the values of $a$ satisfy the condition
of the theorem. In particular it is satisfied by those $a$ which are a quadratic
non-residue modulo $N$; i.e., such that the Jacobi symbol $\left(\frac{a}{N}\right) = -1$.
This observation is captured in the following version of Proth's theorem:

Theorem 4 (Proth, 1878). Let $N = K2^n + 1$, where $K$ is odd and $K < 2^n$. Assume
that $a \in \mathbb{Z}$ is such that $\left(\frac{a}{N}\right) = -1$. Then:

$N$ is a prime if and only if $a^{(N-1)/2} \equiv -1 \pmod{N}$.

In spite of the various generalizations presented in the introduction, the most
natural generalization of this theorem had not yet been exhibited. We do so in the
following result. In what follows $\Phi_p(X)$ will denote the p-th cyclotomic polynomial.

Theorem 5. Let $N = Kp^n + 1$, where $p$ is a prime, $K < p^n$ and $\gcd(K,p) = 1$.
Assume that $a \in \mathbb{Z}$ is a p-th power non-residue, then:

$N$ is a prime if and only if $\Phi_p(a^{(N-1)/p}) \equiv 0 \pmod{N}$.

Proof. If $N$ is a prime, then $a^{N-1} \equiv 1 \pmod{N}$. Now,
$0 \equiv a^{N-1} - 1 = (a^{(N-1)/p} - 1)\,\Phi_p(a^{(N-1)/p}) \pmod{N}$. Since $a$ is a
p-th power non-residue, then $a^{(N-1)/p} - 1 \not\equiv 0 \pmod{N}$ and this implies,
$N$ being prime, that $\Phi_p(a^{(N-1)/p}) \equiv 0 \pmod{N}$.

Conversely, assume that $\Phi_p(a^{Kp^{n-1}}) \equiv 0 \pmod{N}$. Put $X = a^K$, then
$\Phi_p(X^{p^{n-1}}) \equiv 0 \pmod{N}$. It follows that $X^{p^n} \equiv 1 \pmod{N}$. Now, let
$q \leq \sqrt{N}$ be a prime divisor of $N$, then it also holds that
$\Phi_p(X^{p^{n-1}}) \equiv 0 \pmod{q}$ and $X^{p^n} \equiv 1 \pmod{q}$. Thus,
the order of $X$ in $\mathbb{Z}_q^*$ is a divisor of $p^n$, but $X^{p^j} \equiv 1 \pmod{q}$ with
$j < n$ would imply that $p = \Phi_p(1) \equiv 0 \pmod{q}$, which is clearly a contradiction.
Consequently, the order of $X$ in $\mathbb{Z}_q^*$ is $p^n$. It follows that $p^n \mid q - 1$ and
$p^n < q \leq \sqrt{N}$ and then $p^{2n} < N = Kp^n + 1$, so $p^n \leq K$, a contradiction. □

The theorem above can be restated in the following way. 

Theorem 6. Let $N = Kp^n + 1$, where $p$ is a prime and $\gcd(K,p) = 1$. If $p^n > K$,
then:

$\Phi_p(a^{(N-1)/p}) \equiv 0 \pmod{N} \iff N$ is prime and $a$ is a p-th power non-residue modulo $N$.

Proof. It is enough to observe that if $\Phi_p(a^{(N-1)/p}) \equiv 0 \pmod{N}$, then $N$ is prime
(like in the previous proof) and $a \not\equiv x^p \pmod{N}$ for, if it was the case, then
$0 \equiv \Phi_p(a^{(N-1)/p}) = \Phi_p(x^{N-1}) = \Phi_p(1) = p \pmod{N}$; a contradiction. □

This result, like Proth's theorem, is really useful since if $Kp^n + 1$ is prime, only
$\frac{1}{p}$ of the possible choices for $a$ are p-th power residues modulo $N$. Nevertheless, the
interest of this result is mainly theoretical as a genuine generalization of Proth's
theorem. An even more useful generalization, not requiring an adequate choice for
$a$, will be presented in forthcoming sections.

3. A Generalization of Miller-Rabin primality test

The so-called Miller-Rabin probabilistic primality test [20] applies to integers
in the form $N = K2^n + 1$ ($K$ odd) and is based on Fermat's little theorem and on
the fact that the only solutions of $x^2 \equiv 1 \pmod{p}$ ($p$ prime) are $x \equiv \pm 1 \pmod{p}$.
In fact we have the following (see [TSJ Theorem 3.5.1.]):

Theorem 7. Let $N = K2^n + 1$ be prime. If $a > 1$, then one of the following holds:

i) $a^K \equiv 1 \pmod{N}$.

ii) There exists $0 \leq j < n$ such that $a^{K2^j} \equiv -1 \pmod{N}$.

This probabilistic test, in spite of being more demanding than Fermat's test,
presents many pseudoprimes (called strong pseudoprimes) and is especially
unreliable if $n$ is small. Nevertheless, for big values of $n$, as in the case of Proth numbers,
the test is very reliable and, as we will see in the next section, it allows one to certify
the primality of the numbers that pass it.

We must point out that the generalization of the Miller-Rabin test is really simple,
even though more than two decades passed by until the first publication in this
direction. Berrizbeitia and Berry (see [J]) generalized the Strong Pseudoprime Test
introducing the concept of w-prime to base a, and more recent work by Berrizbeitia
and Olivieri (see [S]) goes in the same direction. Nevertheless, we think that these
works do not present a genuine generalization. In fact, the Miller-Rabin test admits a
very natural generalization for integers in the form $N = Kp^n + 1$ with $p$ prime, $K$
even and $\gcd(K,p) = 1$. This generalization (that we shall call the p-Miller-Rabin
test) is based on the following result:
Theorem 8. Let $p$ be a prime number and $K$ be an even number with $\gcd(K,p) = 1$.
If $N = Kp^n + 1$ is prime, then for every integer $a > 1$ such that $\gcd(a, N) = 1$
one of the following holds:

i) $a^K \equiv 1 \pmod{N}$.

ii) There exists $0 \leq j \leq n - 1$ such that $\Phi_p(a^{Kp^j}) \equiv 0 \pmod{N}$.

Proof. If $N$ is a prime, then $a^{Kp^n} \equiv 1 \pmod{N}$. If $a^K \not\equiv 1 \pmod{N}$, let
$1 \leq r \leq n$ be the smallest integer such that $a^{Kp^r} \equiv 1 \pmod{N}$. Then
$a^{Kp^{r-1}} \not\equiv 1 \pmod{N}$ and the primality of $N$ implies that
$\Phi_p(a^{Kp^{r-1}}) \equiv 0 \pmod{N}$ as in Theorem 6. It
is enough to put $j = r - 1$ to complete the proof. □

Definition 1. A p-strong probable prime to base a is a number satisfying conditions
i) and ii) of Theorem 9 for some $p$, prime divisor of $N - 1$. If it is in fact composite,
we will say that it is a p-strong pseudoprime to base a.

This generalization of the Miller-Rabin test allows one to choose the most appropriate
prime factor of $N - 1$ on which to base the test. In the case of generalized Proth
numbers $N = Kp^n + 1$ it seems that the prime $p$ should be the most suitable
choice; nevertheless, computational experiments reveal that the number of q-strong
pseudoprimes does not depend significantly on the chosen divisor of $N - 1$.
Moreover, the classic Miller-Rabin test presents in general fewer pseudoprimes than the
proposed generalization. Nonetheless, this new test can be modified to become a
deterministic primality test for Proth numbers ($K < 2^n$) and generalized Proth
numbers ($N = Kp^n + 1$ with $K < p^n$). This modification is the main contribution
of this paper and will be developed in the following section.

Also, since $N - 1$ will have in general several prime divisors, it makes sense to
combine the new test not only using different bases, but also using different prime
divisors of $N - 1$. This idea suggests the following definition.

Definition 2. A p-strong probable prime (resp. p-strong pseudoprime) to base a
for every $p$ prime divisor of $N - 1$, will be denoted as a complete strong probable
prime (resp. complete strong pseudoprime) to base a.

Unfortunately, although the concept of complete strong probable prime is more
subtle than that of p-strong probable prime, computational evidence suggests that
it is more convenient to use the test combining different bases rather than different
prime divisors of $N - 1$. To illustrate this statement it is enough to point out that
the smallest 2-strong pseudoprime to bases 2 and 3 is 1373653, while there are 10
complete strong pseudoprimes to base 2 smaller than that number; namely: 2047,
3277, 4033, 8321, 65281, 80581, 85489, 88357, 104653 and 130561.
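
The p-Miller-Rabin test of Theorem 8 and the complete strong pseudoprimes of Definition 2, as an added Python example (not the authors' code; all function names are chosen here). It assumes a number counts as a p-strong probable prime when condition i) or ii) of Theorem 8 holds, and it factors by trial division, so it is meant for small ranges only.

```python
def cyclotomic_p(x, p, N):
    """Phi_p(x) = 1 + x + ... + x^(p-1) mod N, evaluated by Horner's rule."""
    acc = 0
    for _ in range(p):
        acc = (acc * x + 1) % N
    return acc


def prime_factors(m):
    """Distinct prime factors of m by trial division (small m only)."""
    factors, d = [], 2
    while d * d <= m:
        if m % d == 0:
            factors.append(d)
            while m % d == 0:
                m //= d
        d += 1
    if m > 1:
        factors.append(m)
    return factors


def is_p_strong_probable_prime(N, p, a):
    """True if N satisfies condition i) or ii) of Theorem 8 for the prime p | N - 1."""
    if N < 3 or (N - 1) % p != 0:
        raise ValueError("p must be a prime divisor of N - 1")
    K, n = N - 1, 0
    while K % p == 0:              # write N - 1 = K * p^n with gcd(K, p) = 1
        K //= p
        n += 1
    x = pow(a, K, N)
    if x == 1:                     # condition i): a^K = 1 (mod N)
        return True
    for _ in range(n):             # condition ii) for j = 0, ..., n - 1
        if cyclotomic_p(x, p, N) == 0:
            return True
        x = pow(x, p, N)           # a^(K p^j) -> a^(K p^(j+1))
    return False


def is_complete_strong_probable_prime(N, a):
    """Definition 2: N passes the p-test to base a for every prime p | N - 1."""
    return all(is_p_strong_probable_prime(N, p, a) for p in prime_factors(N - 1))


def complete_strong_pseudoprimes(a, limit):
    """Odd composites below limit that are complete strong probable primes to base a."""
    return [N for N in range(9, limit, 2)
            if prime_factors(N) != [N]             # keep composites only
            and is_complete_strong_probable_prime(N, a)]
```

For base 2 and limit 10000 the search returns 2047, 3277, 4033 and 8321; the classical strong pseudoprime 4681 is rejected because it fails the test for the divisor 3 of 4680.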

4. A sufficient condition for the primality of generalized Proth numbers

We will now see that passing the p-Miller-Rabin test, together with a bounding
condition on $j$ (see Theorem 8), gives a sufficient condition for primality.

Theorem 9. Let $N = Kp^n + 1$ where $p$ is a prime and $\gcd(K,p) = 1$. If there
exists $1 \leq j \leq n$ such that:

i) $\Phi_p(2^{Kp^{j-1}}) \equiv 0 \pmod{N}$.

ii) $2j > \log_p(K) + n$.

Then $N$ is prime.

Proof. Put $X = 2^K$, then $X^{p^j} \equiv 1 \pmod{N}$. Let $q \leq \sqrt{N}$ be a prime divisor of
$N$. It follows that the order of $X$ in $\mathbb{Z}_q^*$ is exactly $p^j$. Consequently $p^j \mid q - 1$ and
$p^j < q \leq \sqrt{N}$, from which it follows that $p^{2j} < N = Kp^n + 1$. Finally, if $p^{2j} \leq Kp^n$
then $2j \leq \log_p K + n$; a contradiction and the proof is complete. □

Remark 1. The theorem above is still true if we replace 2 by any other base $a$. It
is enough to put $X = a^K$ in the proof.

Corollary 1. Let $N = Kp^n + 1$ where $p$ is a prime number with $\gcd(K,p) = 1$.
Let us consider the sequence $S_0 = 2^K$, $S_i = S_{i-1}^p$ for all $i \geq 1$. If for some
$j > \frac{1}{2}(\log_p(K) + n)$ it holds that $\Phi_p(S_j) \equiv 0 \pmod{N}$, then $N$ is prime.

If we consider the case $p = 2$; i.e., the classical Proth numbers, then we get the
following corollary.

Corollary 2. Let $N = K2^n + 1$ with $K$ an odd integer. Let us consider the sequence
$S_0 = 2^K$, $S_i = S_{i-1}^2$ for all $i \geq 1$. If for some $j > \frac{1}{2}(\log_2(K) + n)$ it holds that
$S_j \equiv -1 \pmod{N}$, then $N$ is prime.

5. Algorithm and Computational complexity 

Since 2004, when the polynomial time AKS algorithm was presented (see 0),
primality algorithms of general nature were ostracized. That was the case of the
deterministic primality test running in $(\log n)^{O(\log\log\log n)}$ time presented by
Adleman, Pomerance and Rumely (see [1]). This algorithm, later improved by Cohen
and Lenstra (see [H]), is known as the APRCL algorithm. Nevertheless, and despite
being one of the cornerstones of Computational Number Theory, the AKS algorithm
has not been very useful in practice. This is because numbers for which the AKS
algorithm is faster than the usual ones are beyond current computation capacity. Even
the so-called practical versions of the AKS algorithm (see [3], for instance) are not
fast enough. As a consequence, prime "hunters" focus on families of integers for
which primality can be determined by useful algorithms. For restricted families of
integers much faster algorithms are known, the most celebrated being the
Lucas-Lehmer algorithm (see [E]), used for Mersenne Numbers, which runs in $O((\log n)^2)$
time. Proth, in [19], gives an algorithm running also in $O((\log n)^2)$ time, which
applies to numbers such that $\nu_2(n - 1) > \frac{1}{2}\log_2 n$, where $2^{\nu_2(m)}$ is the biggest power
of 2 dividing $m$, and provided an integer $a$ is given such that the Jacobi symbol
$\left(\frac{a}{n}\right) = -1$. Proth's algorithm is not deterministic for every $n$. Later, Williams [24]
or Konyagin and Pomerance [15] have extended these techniques to wider families
of integers.

Unless a surprising discovery is made, the computational complexity of any
primality test has a lower bound given by the complexity of the modular
exponentiation required by Fermat's test. With this idea in mind, the best that a primality
test for an integer $N$ can do is to run in $O(\log^2(N) \log(\log(N)) \log(\log(\log(N))))$
time. However, even for this complexity, there can be great differences between two
different tests depending on the number of modular exponentiations $a^{N-1}$ required.
Below we describe an algorithm implementing Corollary 1 which, in fact, requires
just one modular exponentiation of the kind $a^{N-1}$ through $n$ modular
exponentiations, each of them of complexity $O(\log(N) \log(\log(N)) \log(\log(\log(N))))$.
Algorithm.

INPUT: $K, p, n, a$; $N := Kp^n + 1$. $S_0 := a^K$.
STEP 1: If $S_0 \equiv 1 \pmod{N}$
    then RETURN: "N is a p-strong-probable prime to base a". STOP.
STEP 2: For $i = 1$ to $n$
    $S_i := S_{i-1}^p \pmod{N}$
    If $S_i \equiv 1 \pmod{N}$ and $\Phi_p(S_{i-1}) \equiv 0 \pmod{N}$
        then Let $j := i$. GOTO STEP 3
    If $S_i \equiv 1 \pmod{N}$ and $\Phi_p(S_{i-1}) \not\equiv 0 \pmod{N}$
        then RETURN: "N is COMPOSITE". STOP
    End
    RETURN: "N is COMPOSITE". STOP
STEP 3: If $2j \leq \log_p K + n$
    then RETURN: "N is a p-strong-probable prime to base a". STOP.
    If $2j > \log_p K + n$ RETURN: "N is PRIME". STOP.

Proposition 1. For $N = Kp^n + 1$ with fixed $K$ and $p$, the complexity of the
algorithm above is $\widetilde{O}(\log^2(N))$.

Proof. Only steps 1 and 2 contribute to the complexity, since step 3 is obviously irrelevant.

The complexity of step 1 is that of the modular exponentiation $a^K \pmod{N}$. Taking
into account that products modulo $N$ can be performed by the Schoenhage-Strassen
algorithm (see [21]) with complexity:

$$O(\log(N) \log(\log(N)) \log(\log(\log(N)))),$$

this is the complexity of step 1.

In step 2, $n$ modular exponentiations with the same complexity as in step 1 are
carried out. Thus, since $n = \log_p\left(\frac{N-1}{K}\right)$, the complexity of this step is:

$$O(\log^2(N) \log(\log(N)) \log(\log(\log(N)))).$$

And, summarizing, the whole complexity is $\widetilde{O}(\log^2(N))$. □

For generalized Proth numbers ($K < p^n$). If we consider $S_J := a^{Kp^J}$ where
$J := \left\lfloor \frac{\log_p K + n}{2} \right\rfloor$, it is easy to see that if
$S_J \not\equiv 1 \pmod{N}$ then the algorithm always certifies the primality or
compositeness of $Kp^n + 1$. In this case we can consider the following algorithm:

Algorithm.

INPUT: $K, p, n, a$; $N := Kp^n + 1$. $J := \left\lfloor \frac{\log_p K + n}{2} \right\rfloor$. $S_J := a^{Kp^J}$.
STEP 1: If $S_J \equiv 1 \pmod{N}$
    then RETURN: "N is a p-strong-probable prime to base a". STOP.
    else RETURN: "N will be certified either as prime or composite".
STEP 2: For $i = J + 1$ to $n$
    $S_i := S_{i-1}^p \pmod{N}$
    If $S_i \equiv 1 \pmod{N}$ and $\Phi_p(S_{i-1}) \equiv 0 \pmod{N}$
        Then RETURN: "N is PRIME"
        Else RETURN: "N is COMPOSITE". STOP
    End
    RETURN: "N is COMPOSITE". STOP
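
Both algorithms of this section as an added Python example (not the authors' implementation; function names and return strings are chosen here). It assumes the Else branch of the second algorithm applies only once $S_i \equiv 1 \pmod{N}$, as in the first algorithm, and it replaces the comparison of $2j$ with $\log_p K + n$ by the equivalent exact integer test $p^{2j} > Kp^n$.

```python
def cyclotomic_p(x, p, N):
    """Phi_p(x) = 1 + x + ... + x^(p-1) mod N, evaluated by Horner's rule."""
    acc = 0
    for _ in range(p):
        acc = (acc * x + 1) % N
    return acc


def certify(K, p, n, a=2):
    """First algorithm: returns 'prime', 'composite' or 'probable prime'."""
    N = K * p**n + 1
    S = pow(a, K, N)                       # S_0 = a^K
    if S == 1:                             # STEP 1
        return "probable prime"
    for i in range(1, n + 1):              # STEP 2
        S_prev, S = S, pow(S, p, N)        # S_i = S_{i-1}^p
        if S == 1:
            if cyclotomic_p(S_prev, p, N) != 0:
                return "composite"
            # STEP 3 with j = i: 2j > log_p(K) + n  <=>  p^(2j) > K * p^n
            return "prime" if p ** (2 * i) > K * p**n else "probable prime"
    return "composite"                     # a^(N-1) != 1: Fermat's test fails


def certify_from_J(K, p, n, a=2):
    """Second algorithm (K < p^n): start at S_J, J = floor((log_p K + n) / 2)."""
    if K >= p**n:
        raise ValueError("requires K < p^n")
    N = K * p**n + 1
    J = 0
    while p ** (2 * (J + 1)) <= K * p**n:  # largest J with p^(2J) <= K * p^n
        J += 1
    S = pow(a, K * p**J, N)                # S_J = a^(K p^J)
    if S == 1:                             # STEP 1: this base cannot decide
        return "probable prime"
    for _ in range(J + 1, n + 1):          # STEP 2: every i here has 2i > log_p K + n
        S_prev, S = S, pow(S, p, N)
        if S == 1:
            return "prime" if cyclotomic_p(S_prev, p, N) == 0 else "composite"
    return "composite"
```

With base 2, `certify(2, 3, 4)` certifies 163 as prime, `certify(2, 3, 3)` rejects 55, and `certify(85, 2, 2)` rejects the Fermat pseudoprime 341 through the $\Phi_p$ check.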
We will now see that for moderately big values of $n$, the probability that the
algorithm does not certify the primality of a prime of the form $N = Kp^n + 1$ without
choosing more than one base is extremely small and that it decreases with $p$. This is
not the case for the test based on Pocklington's theorem since, regardless of the value
of $n$, the use of several bases to certify the primality of $N$ is quite frequent. To do
so, we first present a quite well-known lemma.

Lemma 1. If $N = Kp^n + 1$ is prime, then the number of $p^s$-th powers modulo $N$
(different from 0 and 1) is:

$$\frac{N-1}{p^s} - 1 = Kp^{n-s} - 1.$$

With the use of this lemma we can prove the following proposition. 

Proposition 2. Given a prime $N = Kp^n + 1$ ($K < p^n$) and a random base
$0 < a < n$, the probability that the algorithm returns "p-strong probable prime" is:

$$\frac{Kp^{\left\lfloor \frac{\log_p(K)+n}{2} \right\rfloor} - 1}{Kp^n - 1}.$$

Proof. The algorithm returns "N is p-strong probable prime" when
$J := \left\lfloor \frac{\log_p(K)+n}{2} \right\rfloor$ satisfies that $a^{Kp^J} \equiv 1 \pmod{N}$.
This will happen if $a$ is a residual power of order $n - J$ modulo $N$. But, by the
previous lemma, the probability that this happens is:

$$\frac{Kp^J - 1}{N - 2} = \frac{Kp^{\left\lfloor \frac{\log_p(K)+n}{2} \right\rfloor} - 1}{Kp^n - 1}.$$

□



Remark 2. For big values of $n$ the probability that a prime of the form $N = Kp^n + 1$
is certified as p-strong probable prime is about $p^{-n/2}$.

Steps 1 and 2 in the algorithm perform the computation of the power $a^{N-1} \pmod{N}$
in a controlled way, in the sense that if some power $a^{Kp^i} \equiv 1 \pmod{N}$ the
computation stops. Thus, we can say that the computational cost of the algorithm
is that of one modular exponentiation of the kind $a^{N-1}$ carried out by $n$ modular
exponentiations, taking into account that:

$$a^{kp^n} = \left(\cdots\left(\left(a^k\right)^p\right)^p \cdots\right)^p.$$

Moreover, for values of $p$ with "many" 1's or "many" 0's in its binary expansion
(like for Mersenne or Fermat primes), the presented algorithm can use this fact
to perform the p-th power in a faster way than with the standard repeated squaring
technique, achieving an execution in half the time of the standard modular
exponentiation.

To sum up, the presented algorithm improves every primality test requiring more
than the computation of a power of the kind $a^{N-1} \pmod{N}$ or similar. It also equals
those requiring one such power, even performing better for some particular values
of $p$.
6. Appeal to implementers

Although the authors have not implemented the proposed algorithm with an
appropriate technology, and using Mathematica® only primes up to 100000 digits
have been tested, they are in a position to make some considerations that might
encourage implementers to create software based on this paper. Taking into
account that our algorithm requires a number of computations similar to that of
Fermat's test (or even less) we have compared the time required to certify the
primality of the four biggest known primes in the family $N = 2 \cdot 3^n + 1$, recently
found by David Broadhurst, with the estimated time required by our algorithm. Of
course, the runtime of OpenPFGW depends on the "lucky" choice of the bases used
to perform Pocklington's test (namely, the chosen base $a$ should satisfy
$\gcd(a^{(N-1)/p} - 1, N) = 1$). OpenPFGW also fails when the tested number is a Fermat pseudoprime
for several bases (with a resounding failure when it is a Carmichael number), since
it is unable to quickly detect the compositeness of these numbers. However, our
algorithm would require only one modular exponentiation of the kind $a^{N-1}$, thus
becoming preferable to any other algorithm for generalized Proth numbers. To be
true, also our algorithm could require a second choice for the base. But this would
happen, for $n = 1175232$, with probability about $8.25 \times 10^{-280365}$.

In the table below we show the bases used by OpenPFGW (Version 3.4.3) to
certify the primality of each $N$ (in one case it needed 7), the runtime on an Intel
Core2 Duo P7450 @ 2.13 GHz with 4Gb of RAM and the estimated runtime for our
algorithm. We also show the ranking of the considered primes among the known
primes up to date. All of them are among the 1000 biggest known primes, and the
biggest one is among the 100 biggest ones and, remarkably, they are among the very few
big primes not belonging to the most investigated families: Mersenne, generalized
Fermat, Cullen, Woodall, Proth, generalized Cullen and generalized Woodall. It
seems to us that the families $Kp^n + 1$ have not been deeply investigated except for
the case $p = 2$.



$N = 2 \cdot 3^n + 1$, $n =$              529680    1074726               1086112    1175232
Number of digits                   252722    512775                518208     560729
Absolute Ranking                   895-th    102-th                101-th     87-th
Bases used by OpenPFGW             2,3       2,3,17,23,29,31,41    2          2,3,5
Runtime OpenPFGW (in s.)           1531      21865                 3220       14537
Estimated runtime our algorithm    766       3124                  3220       4845


We want to stress the importance of taking advantage of the structure of Mersenne
and Fermat primes in order to reduce the required time for the modular
exponentiations in our algorithm. Consider for instance the search for primes of the form
$K \cdot 127^n + 1$. Our algorithm requires to perform $n$ modular exponentiations of
the kind $b^{127}$. For each of them, performed by the standard repeated squaring
algorithm, 12 modular products are required, but considering that $b^{127} = b^{128}/b$
only 7 products and a division would be required; a 33% saving. More generally, for
$p = 2^s - 1$ (a Mersenne prime) only $s$ products and a division will be required, while
the standard method requires $2(s - 1)$ products. Thus, asymptotically, one gets a
50% saving. Moreover, even though $p$ is not a Mersenne or Fermat prime, if there
are many 1's or 0's in the binary expansion of $p$, ad hoc strategies can be developed
in order to optimize the algorithm. This would be the case of primes of the form
$2^s \pm 2^t \pm 1$, for instance.
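
The saving described above for $p = 2^s - 1$, as an added Python example (not the authors' code; function names are chosen here). It counts the modular products used by standard repeated squaring and computes the same power with $s$ squarings and one modular division, which is only defined when $\gcd(b, N) = 1$.

```python
def pow_binary(b, e, N):
    """Left-to-right repeated squaring; returns (b^e mod N, modular products used)."""
    result, products = b % N, 0
    for bit in bin(e)[3:]:               # bits of e after the leading 1
        result = result * result % N     # one squaring per bit
        products += 1
        if bit == "1":
            result = result * b % N      # one extra product per 1 bit
            products += 1
    return result, products


def pow_mersenne(b, s, N):
    """b^(2^s - 1) mod N as b^(2^s) / b: s squarings plus one modular division.

    Returns (value, squarings). value is None when gcd(b, N) != 1, where the
    division is undefined; for b not divisible by N this means N is composite.
    """
    result = b % N
    for _ in range(s):
        result = result * result % N
    try:
        inverse = pow(b, -1, N)          # the single "division" (Python 3.8+)
    except ValueError:
        return None, s
    return result * inverse % N, s
```

For $p = 127$ (so $s = 7$) `pow_binary` reports 12 products and `pow_mersenne` 7 squarings plus the inversion, matching the counts in the text.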